FBI Tech Tuesday: Building a Digital Defense Against Facebook Messenger Frauds
FBI Tech Tuesday: Building a Digital Defense Against Facebook Messenger Frauds
When a lot of cyber security Guru focusing the nuclear power and critical facilities. It looks they also requires to includes the power substation. From techincal point of view, control central will be hardening both console and network environment. But how about the configuration console for substation? Does it allow install the configuration software (IEC 61850 system configurator) on notebook for outdoor work? Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions. Cyber security attack will be exploited different channels. But the major pathway is the product vulnerabilities.
Official announcement by Siemens shown as below:
Status update: 30th Jul 2018
A vulnerability confirm by vendor that a Denial-of-Service occurs in EN100 Ethernet Communication Module and SIPROTEC 5 relays.
Official announcement by Siemens shown as below:
Cyber defense facilities today are very strong and effecive to fight against different of cyber attacks. Even though stealer deploy DNS steal technique to exfiltrate the data from a firm. Anti cyber technology have their way to quarantine and deny such activities. Perhaps you said the IoT devices attack that wreaked hovac worldwide. It is hard to avoid. But it still have resolution. Cyber security vendor deploy network discover facitiles. No matter Dot one X or non Dot one X devices they can find. So it looks perfect, no any concern any more. But why we still have cyber attack incident happens today?
The Next Cyber Battleground
Sound scary! The Next Cyber Battleground
Expert predict that digital infrastructure is the high target to receive cyber attack. That is even through smart City, manufacturing automation, geospatial data system,..etc.
Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. May be it do not want to caused a public panic.
We heard cyber attack to SCADA in frequent. Whether SCADA contains design weakness or there is other factor?
The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.
The core component supporting SCADA infrastructure build by Microsoft products in common. And therefore the attack surface will be divided in several ways. We understand that Nuclear facilties do not provided any public web portal. So direct attacks looks not possible. However Microsoft office products has full market coverage in the world. It is rare that people not using MS-Word for word processing work, right? As a matter of fact, hacker now transform MS office product become a cyber attack media. They re-use former MS office vulnerabilities. It has possibilities execute the Infiltration. From technical point of view, even though attacker send out the RTF format of file. It is also workable.
Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.
Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.
On this discussion objective, I am not going to drill into any technical details. But our aim would like to provides hints see whether it can enrich the security awareness.
Below details common bad mailicious MS-word documents checklist for reference.
|722154A36F32BA10E98020A8AD758A7A||MD5||FILENAME:CV Controls Engineer.docx|
|243511A51088D57E6DF08D5EF52D5499||MD5||FILENAME:CV Control Engeneer.docx|
|277256F905D7CB07CDCD096CECC27E76||MD5||FILENAME:CV Jon Patrick.docx|
|5C6A887A91B18289A70BDD29CC86EBDB||MD5||FILENAME:High R-Value Energy.docx|
|78E90308FF107CE38089DFF16A929431||MD5||FILENAME:CV Jon Patrick.docx|
|C1529353E33FD3C0D2802BB558414F11||MD5||FILENAME:Build Hydroelectric Turbine.docx|
|038A97B4E2F37F34B255F0643E49FC9D||MD5||FILENAME:Controls Engineer (2).docx|
|31008DE622CA9526F5F4A1DD3F16F4EA||MD5||FILENAME:Controls Engineer (4).docx|
|5ACC56C93C5BA1318DD2FA9C3509D60B||MD5||FILENAME:Controls Engineer (7).docx|
|65A1A73253F04354886F375B59550B46||MD5||FILENAME:Controls Engineer (3).docx|
|8341E48A6B91750D99A8295C97FD55D5||MD5||FILENAME:Controls Engineer (5).docx|
|99AA0D0ECEEFCE4C0856532181B449B1||MD5||FILENAME:Controls Engineer (8).docx|
Happy hunting – bye!
Ukrainian intel agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world focusing VPN filter malware spreading and infection. We known earlier last month that such attack targets are the low end wireless router and network access storage (NAS).
However, from my point of view is that the main stream of the cyber attack so far happening not limit to this incident. The fact is that lure the attacker interest to do the re-engineering of their attacks seems maintain on Microsoft office product. What is the key component? Yes, it is OLE objective linking and embedding. Or you may say, if I am following Microsoft patch Tue remediation schedule it will be safe. It looks correct. But normal RTF file, it was able to avoid detection by many security products. And therefore attacker conduct similar hacking technology to execute cyber attack in Ukrainian. The political situation of Ukrainian given a never ending story. Meanwhile the world never without using MS office document!
Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/
My speculation on how Cisco (Talos) found the malware (VPNFilter malware)
THE 2018 WORLD CUP lure hacker interest, a breeding ground for hackers. The phishing campaign linked to the start of the FIFA World Cup where cyber-criminals attempt to lure would-be victims into downloading. For instance, Games, email and related information. Such download contain malware and let the downloader become cyber attack victim.
How do you defend against this football (malware)? 1. Use and maintain antivirus software. 2. Keep software and operating systems up-to-date. 3. Be wary of downloading files from websites. 4. Think before you Click!
Headline News :
A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 driven my interest to do this study. So the report equivalent to enlightenment my conception.
A tremendous potential cyber attack found by Cisco. Thereby it announced to public last week. They reveal this unknown story to the world. And therefore the major security focus shift to a new malware. As a result, we know the technical specifications of malware so called “VPNFilter”. However, similar cyber attacks was encountered in past. A similarity of those cyber attacks are focusing the public facilities especially nuclear power facility , gas and water supply system as the major target. We bring your attentions today for OPC UA (Object Linking and Embedding for Process Control Unified Automation) to OPC Unified Architecture (OPC UA) system vulnerabilities. Those vulnerabilities are not running in high profile. But it requires technical people for attention.
About OPC & OPC Unified Architecture
OPC is an industry standard, it defines methods for exchanging realtime automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.
Overview of OPC Unified Architecture
Kaspersky technical findings
Referring to technical report announced by Kaspersky on 10th May 2018. The key critical design flaws are shown as below:
It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………
…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.
Hints – See whether below assembly language source code (call OpcUa-memory_Alloc@4) can provides any idea to you in this regard.
2. In the process of analyzing the application, found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.
Hints: What is XXE attack? Below picture shown traditional XXE attack for reference.This XXE attack so called billion laughs attack .
Remark: By disabling DTDs, application developers are also able to strengthen the parser’s ability to protect itself against DoS (denial of service) attacks.
Upon inspection, the OPC UA requires the following library files.
libeay32.dll, ssleay32.dll, and uastack.dll
The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in the version of OpenSSL. You may compile and use your own version because this is a open source program.
Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer below url for reference.
— End —
The cyber attacks are wreak havoc today. In order to protect the power facility, water supply, Gas supply and petroleum industry daily operations. The SCADA control system vendor implemented security control in their system infrastructure. However when vulnerabilities encounter on their products. The remediation step of the vendor response sometimes not in effecient. For instance, Advantech one of the key player of SCADA WebAccess. But it lack of motivation to drive the remedation solution on their products. There is no official announcement how to do the remedation on their products so far. Vulnerabilities are shown as below:
CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code
CVE-2018-7503 – a path transversal vulnerability which may allow an attacker to disclose sensitive
CVE-2018-7505 – information on the target TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may
CVE-2018-8841- allow an attacker to delete files.
an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.
The Gas and Petroleum industries requires automation to enhance their overall operation in last decade. And therefore the automation system setup requires Supervisory control and data acquisition (SCADA). We noticed that hackers targeted SCADA system installed in nuclear power facilities. We are living in digital age and therefore electricity power supply similar air and water. So system automation hardware vendor has responsibility to hardening their system design. Siemens found vulnerability in their Automation Technology Process control systems (PCS 7) on April last month. For more details, please refer below url for reference.
1. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
2. GetMachineName ( ) copies machine name to a fixed 32 byte buffer causes problem occurs.
PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Security concern by security experts
The security issues are typically exposed when PHP code makes use of system-level calls.
Found critical security problem today! – Original release date: April 27, 2018
The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected system.
See whether any short term remediation can take before upgrade?
1.Restrict PHP Information Leakage
2.Disable Remote Code Execution
3.Not show errors to the visitors
4.Disable Dangerous PHP Functions (php.ini)
5.Upload Files (/etc/php.d/ directory)
6.Control File System Access
always keep the open_basedir directive set to the /var/www/html directory.
7.Control the POST Size (/etc/php.d/security.ini)
— End —
As a world justice leader it is hard to avoid to enhance the military setup. From the cold war till today, international atmosphere not significant change the protection definition. This circumstances match the logic since that man kind will be protect himself and his belongs. However a problem encountered was that how to despose or handle the big power killer weapons especially outdate nuclear bomb. Headline news (REUTERS) yesterday said that America’s has nuclear headache. For more details, please refer below url for reference.
Remark: Send that radioactive stuffs to moon and other planet looks a possible solution. However it is hard to avoid incident occurs during transportation. A reminder is that Plutonium has a radioactive half-life of 24,000 years. So where can they go?